Zone Alarm Plus/Pro Program Options (Updated for ZAP v4.0)

With the release of Zone Alarm Pro v4.0, significant changes have been made to the mechanisms used to grant and restrict individual program access rights. The first two posts in this thread remain the same, but below are updates that show how to achieve the same controls over Outlook Express using ZAP v4.0.

[hr]
Many people run Zone Alarm Plus (ZA+) or Zone Alarm Pro (ZAP) without realizing that these products will allow them to configure some fairly advanced custom settings that can further enhance their PC's networking security. While not as configurable as most of the rules-based firewalls, ZA+/ZAP do provide some additional capabilities that may be worth exploring in order to override some of the basic "set it and forget it" defaults that are provided by the Zone Alarm Free (ZAF) product.

In this post, I will give an overview of some of the advanced capabilities provided within the Program Controls interface of ZA+/ZAP and try to demonstrate a practical use for these capabilities.

Adjusting the advanced options on a program can limit that program's network access permissions and either block or permit its use of specified ports and protocols. For example, you could prevent a non-browser application from ever accessing port 80 and related HTTP ports, or restrict a program into having access to only a short list of allowed ports.

One use that I've made of this functionality was to prevent Microsoft's Outlook Express* from actually using any ports other than those required to access DNS, POP, SMTP and NNTP, thus preventing it from browsing to web sites which might have email usage tracking capability or web bugs.

Here's how this was configured. The screen shots are from Zone Alarm Plus v3.1.395, but any version of Zone Alarm Plus or Zone Alarm Pro should be able to accommodate these settings. First, here is a screen shot of the Program Control window itself:

To get to the advanced options for any program listed in ZA, highlight it (OE in this case) and press the [Options] button. This will bring up the Program Options screen:

By default, the option to "Allow access to all ports and protocols" is set. In order to restrict OE access as noted above, select "Allow access for ONLY the ports and protocols checked below" and then use the [Add] button to configure the necessary ports. (Note that ZA+/ZAP can also allow all ports EXCEPT for those entered in this screen, another very useful configuration option.)

Once this screen is OK'd, all future sessions of Outlook Express will be restricted to only using the specified ports and protocols. When OE next opens an HTML based message, no links to embedded images, web bugs, or any other browser based content will be accessed.

For additional security, if your ISP's DNS, Mail and News servers are entered into the Trusted (Local) Zone via Zone Alarm's "Firewall > Zones" interface, and all access to the Internet zone is blocked in the Program Control screen, then Outlook Express will be further restricted. This will prevent OE from hitting any site not in the trusted zone, which will significantly increase its security. (Note that you must enter your ISP's DNS servers, by IP address or IP range, to the Trusted Zone in order for OE to work if Internet access is blocked.)

The red X in the Access/Internet column prevents any access to sites not entered in the Trusted Zone. Since this feature is available on Zone Alarm Free, as well, it can provide users of that product significant security enhancement capabilities. (Since OE never needs "server rights", I have also blocked those capabilities.)

Since I use both the Internet Zone and custom port option restrictions on my system, Outlook Express runs with significantly less network access capabilities than the default configuration provides. This increases its security dramatically, while allowing OE to pick up and send all email and newsgroup posts.

Using these advanced program options in ZA+/ZAP can reduce the access rights of a number of the applications on a system. If you aren't sure of all the access needs of a given program, you can set up the basic requirements and then run the program as usual, watching the ZA alerts (or the log viewer tab) to identify the ports and protocols that are being blocked, and then enter them as necessary.

If you find you need to enable a port or port range not in the predefined list, you can select the "Custom..." option from the [Add] menu which gives you this screen:

Here a selected range of TCP and/or UDP ports can be entered. If a program needs just a single port enabled (or blocked), such as 443, then entering 443 in both boxes defining the range will accomplish that.

Zone Alarm Plus and Zone Alarm Pro definitely have a number of configuration options available. This is just one example. Users of these products, or potential users, should take a look through the Zone Alarm Manuals loaded on their systems, or available for download from the Zone Labs website.

If anyone has additions, questions or comments, please post them or feel free to contact me directly via PM.

Regards,
LowWaterMark

* Please note that users of Outlook Express should verify that they have tightened their security settings as advised by Microsoft, as well as keeping current with any critical security patches as provided at the Windows Update site.
- MS link regarding OE: http://support.microsoft.com/support/kb/articles/q291/3/87.asp

Zone Alarm Pro v4.0 came out today (June 12, 2003) and it included a new "Expert Rules" capability covering both Global System Rules and Custom Application Rules.

This is quite a change. ZAP has always been an "application firewall" with fairly limited custom controls at both the global and application level. Previously, ZA+ and ZAP supported some simple system-wide allow/block settings (for incoming or outgoing ports & protocols), and some similar capabilities applied to the individual application level. (The posting above demonstrates the limited application custom controls that were possible in the ZAP 2.X and ZA+/ZAP 3.X versions. If you review the Outlook Express application settings above, you will quickly see the limitations in these custom settings.)

The following posts document how to achieve the same, or actually slightly better, restrictions for Outlook Express (as provided above) using the new ZAP v4.0 Expert Rules...

The panels and tabs in the new ZAP v4.0 look only slightly different from the v3.X releases except for the very significant addition of the new "Expert" tab on the Firewall panel, and the "Expert Rules" tab on the Program Options screen in the Program Control panel.

The old Program Options "Ports" and "Range of Ports" screens (shown in the images above) are now gone. In order to achieve the same access restrictions for Outlook Express when using the new ZAP v4.0, you'll need to configure some detailed rules as shown below.

The only image from above that is mostly the same from version 3.X to 4.0 is this one:

Except for the addition of the new column called "Send Mail", which basically allows or blocks the program in question from being able to send email messages, this screen looks the same.

You will still need to set the access restrictions, as shown in the screen above, as the primary means of restricting Outlook Express's access rights. Then when you press the [Options] button, you will get the screen below. This is where you need to define all the detailed rules to allow only DNS, POP3, SMTP and NNTP (News), and then block everything else.

Notice the 5 detailed rules shown in the screen image above. Each rule was added, one at a time, using the [Add] button on that screen.

Below is the "Add Rule" screen for the first rule, the one to allow Outlook Express to access DNS. The things to note in this image are:

1. State is "Enabled" (meaning that this rule is in use) versus "Disable"
2. Action is "Allow" (meaning DNS will be allowed) versus "Block"
3. Track is "None" (this is a logging setting) versus "Log" and "Alert & Log"
4. Source is "My Computer" (other options include: Trusted or Internet Zone, "Any", or specific IP addrs, ranges, etc.)
5. Destination is "Trusted Zone" (where my DNS servers have been added, but, could be done by IP addr, range, etc.)
6. Protocol - note: the text there is just descriptive; the actual settings are made in a separate screen shown below.
7. Time - note: time restrictions are possible, but not used in this example.

Below is the detail screen used to further define what is shown in the "Protocol" section of the Add or Edit Rule screen.

The things to note in this screen (below) are:

1. Protocol is "UDP" (correct for a DNS rule) versus "TCP", "TCP & UDP" or "ICMP"
2. Description is just that, a text description that I chose, and it is what is shown in the screen above. The more descriptive the better!
3. Destination Port is "53" (just DNS) versus setting another port or range of ports, or "Any".
4. Source Port is "Any" in this case. Technically a range of "1024-5000" should be okay, and while this did work for email transmission, some misc block messages were received. When set to "Any", these alerts did not occur. (I'll need to look into this further.)

Here is one more example before I show the block everything else rule. This is for SMTP mail server access. Note that in this case, as is also the case for the POP3 and NNTP (News) rules, I set the Source Port to the range "1024-5000". Only the DNS rule required the Source Port to be Any.

After making all your "allow" rules you need to close with a "block everything else" rule. The image below shows such a rule, and this rule is always left at the bottom of the list of rules, as a type of catch-all final rule.

The things to note here are:

1. Action is "Block" for the first time in our rules list.
2. Track is "Alert and Log", which is not really necessary, but, by setting this you will be able to see what things ZAP is preventing Outlook Express from accessing. (If you get tired of the alerting and/or logging, you can set this to "None" just like the other rules.)
3. The 4 remaining sections are set to "Any" which will catch any and every other access made by OE.
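To make the ordering and matching behaviour of these rules concrete, here is an added example (written for this thread, not ZAP's own code or configuration format) that models both approaches described in this thread: the v3.X "Allow access for ONLY the ports checked below" list combined with the red X in the Access/Internet column, and the five v4.0 Expert Rules above ending in the catch-all block rule. It evaluates a handful of constructed connection attempts by Outlook Express against each rule set, first match wins. The Trusted Zone addresses, the connection samples and the rule field names are assumptions made for the example; the port numbers and the "1024-5000" source-port range are the ones given in the posts.

```python
"""Added example: first-match evaluation of the Outlook Express rule sets from this thread.
All addresses and connection samples are constructed; the rule contents follow the posts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed Trusted Zone: placeholder ISP DNS/mail/news servers (RFC 5737 documentation
# range), standing in for the real servers the post says to add under Firewall > Zones.
TRUSTED_ZONE = [ip_network("192.0.2.0/24")]


def zone_of(ip: str) -> str:
    """Classify a destination address into the zones the rules refer to."""
    addr = ip_address(ip)
    if addr.is_loopback:
        return "My Computer"
    return "Trusted Zone" if any(addr in net for net in TRUSTED_ZONE) else "Internet Zone"


@dataclass(frozen=True)
class Conn:
    protocol: str   # "TCP" or "UDP"
    dst_ip: str
    dst_port: int
    src_port: int


@dataclass(frozen=True)
class Rule:
    description: str
    action: str                  # "Allow" or "Block"
    protocol: str                # "TCP", "UDP", "TCP & UDP" or "Any"
    destination: str             # zone name or "Any"
    dst_ports: Optional[range]   # None means "Any"
    src_ports: Optional[range]   # None means "Any"
    track: str = "None"          # "None", "Log" or "Alert and Log"
    enabled: bool = True

    def matches(self, c: Conn) -> bool:
        if not self.enabled:
            return False
        proto_ok = self.protocol in ("Any", c.protocol) or (
            self.protocol == "TCP & UDP" and c.protocol in ("TCP", "UDP"))
        if not proto_ok:
            return False
        if self.destination not in ("Any", zone_of(c.dst_ip)):
            return False
        if self.dst_ports is not None and c.dst_port not in self.dst_ports:
            return False
        if self.src_ports is not None and c.src_port not in self.src_ports:
            return False
        return True


def port(n: int) -> range:
    return range(n, n + 1)


EPHEMERAL = range(1024, 5001)   # the posts' "1024-5000" source-port range, inclusive

# The five v4.0 Expert Rules in list order; the last one is the catch-all.
OE_EXPERT_RULES = [
    Rule("DNS", "Allow", "UDP", "Trusted Zone", port(53), None),
    Rule("POP3", "Allow", "TCP", "Trusted Zone", port(110), EPHEMERAL),
    Rule("SMTP", "Allow", "TCP", "Trusted Zone", port(25), EPHEMERAL),
    Rule("NNTP", "Allow", "TCP", "Trusted Zone", port(119), EPHEMERAL),
    Rule("Block everything else", "Block", "Any", "Any", None, None, track="Alert and Log"),
]

# The v3.X port list: destination port -> protocol, no zone or source-port restriction.
OE_V3_PORTS = {53: "UDP", 110: "TCP", 25: "TCP", 119: "TCP"}


def v3_port_list_rules(allowed: dict, internet_blocked: bool) -> list:
    """Model of "Allow access for ONLY the ports checked below", optionally combined with
    the red X in the Access/Internet column (modelled here as a leading zone block)."""
    rules = [Rule(f"port {p}", "Allow", proto, "Any", port(p), None) for p, proto in allowed.items()]
    if internet_blocked:
        rules.insert(0, Rule("Internet Zone X", "Block", "Any", "Internet Zone", None, None))
    rules.append(Rule("not in port list", "Block", "Any", "Any", None, None))
    return rules


def evaluate(rules: list, conn: Conn) -> tuple:
    """First matching rule decides. Returns (action, rule description, log line or None)."""
    for r in rules:
        if r.matches(conn):
            log = None if r.track == "None" else (
                f"[{r.track}] {r.action} {conn.protocol} -> {conn.dst_ip}:{conn.dst_port} ({r.description})")
            return r.action, r.description, log
    # No rule matched: with no Expert Rules set, the program's default controls apply (assumed Allow here).
    return "Allow", "program defaults", None


# Constructed connection attempts by OE; none of these addresses are real servers.
SAMPLE = {
    "dns": Conn("UDP", "192.0.2.53", 53, 6000),            # trusted DNS, src port outside 1024-5000
    "pop3": Conn("TCP", "192.0.2.110", 110, 1500),         # trusted POP3 server
    "web_bug": Conn("TCP", "198.51.100.7", 80, 1501),      # HTTP fetch from an HTML message
    "internet_pop3": Conn("TCP", "198.51.100.8", 110, 1502),  # POP3 to a server not in the Trusted Zone
    "smtp_high_src": Conn("TCP", "192.0.2.25", 25, 6001),  # trusted SMTP, src port outside 1024-5000
}


def decide_all(rules: list) -> dict:
    return {name: evaluate(rules, c)[0] for name, c in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in [("v4.0 Expert Rules", OE_EXPERT_RULES),
                         ("v3.X port list only", v3_port_list_rules(OE_V3_PORTS, False)),
                         ("v3.X port list + Internet X", v3_port_list_rules(OE_V3_PORTS, True))]:
        print(label)
        for name, c in SAMPLE.items():
            action, why, log = evaluate(rules, c)
            print(f"  {name:14s} {action:5s} ({why})" + (f"  {log}" if log else ""))
```

Running it shows the "slightly better" restriction the update post mentions: the v3.X port list alone lets the POP3 attempt to a non-trusted server through, the Internet Zone X closes that, and the Expert Rules close it and additionally refuse the SMTP attempt from a source port outside 1024-5000, which is the source-port behaviour the DNS note above warns about.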

The above updates were made to this thread to give everyone a quick overview of the new "Expert Rules" capabilities in Zone Alarm Pro v4.0. At some point I'll probably restructure this thread and/or make another thread to demonstrate and document more clearly these new capabilities.

So far, this new version of ZAP seems to be very stable, and is certainly much more customizable than the previous versions. Please note however that it is not necessary to actually use any of these advanced capabilities. ZAP may continue to be used exactly as it was in any of the 3.X versions, and it will provide the same protections. The Expert Rules are only used if they are set, otherwise, the default controls remain the same as in past versions.

With this new version of ZAP, Zone Labs has included a "backup and restore" capability so that all custom configurations, including the new expert rules, can be saved at various points and restored whenever needed.

Below is an extract from an XML backup file off my system which shows just the Outlook Express program configuration. (Please note this file is not meant to be used to create these rules; although it does appear to work, it is not supported.)

I have attached the extract here as a TXT file (since that's what this forum supports) but rightly it would be .xml not .txt